In the Line of Fire: Defending Highly Visible Targets
Jeremy Poteet, CISSP
Chief Security Officer, appDefense
OWASP AppSec DC, October

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.

Introduction
- What is a highly visible application?
- Begin at the beginning
- Stories from the trenches
- Hope: it can be done

You might be a highly visible site if …
- … the press shows up for the deployment of your app
- … any error message shows up in hundreds of blogs
- … you can't count the number of sites whose sole purpose is to list attack plans and provide tools for breaking into your application
- … every hacker, security wannabe and activist would love to use your site to make a statement
- … CNN displays it on their ticker when your site is sluggish

What makes a highly visible site
- Crown Jewels
  - Money
  - Data
  - Notoriety
- What it Represents
  - Making a Statement
- Users + Focus

Signature of a highly visible site
- Complex Systems
- Multiples
  - Technologies
  - Developers
  - Servers
  - Applications
- Highly volatile
- Something to lose

Highly visible is the same
- Still web applications
- Same issues still apply
- In an ideal world, it doesn't matter
- Applications don't always start as highly visible
- Best practices still apply

Highly visible is different
- Time to Impact
- Coordination
- Number of Cooks
- External Visibility
- Cascading

Begin at the Beginning
- Learn from the past
- Only as strong as the foundation
- Know what is expected
- Information is your best friend
- Prepare for failure

Dealing With Application Complexity
- Team based system
- Geographic systems
- Custom PDF Generation
- File Upload and Downloads
- Memory Leak, Scalability or DoS?
- Powerful apps = High promotion
- Quick resolution to issues

The Debates
- Highest volume
- Visibility
  - Outward - Press
  - Outward - Voters
  - Inward - Staff
- Large volume of data
- Real time responses
- Debate timeline changes

Walling off failure
- Isolating Systems From Impacting Each Other
- Database Segregation
- Application Separation
- Access Toggling
- Additional Monitoring
- Scalability

Volume of Attacks
- High Volume usage goes with High Volume attacks
- Cover
- Visibility
- Assist in attacks
- Convention/Debate/Elections: Maximum Impact

Caching
- Minimize data access and processing
- Bleed over
- Client vs. Server
- Shifting of responsibility
- Level of Control

Complete Architecture Shift
- Rapid Switch
- Rules Reset
- Configure Rather than Recode
- Assume Nothing
- Contingency Plan

Perception
- Worst Case Scenario
- Rising Visibility
- Increased and Focused Attacks
- Gut Check
- Perception is Everything

No site is an island
- Branding
- Integrated Tools
- Integrated Sites
- Feeds
- Applications are wide ranging
- Perception and reality must meet

Beneath the noise
- Constant Attacks
- High Volume Pages
- Concentrated Volume
- Sub-Pages - Understanding how the application functions
- Coordinated Attacks

Out of Your Control
- … from application systematically spammed
- Data is the system
- Pandora's Box
- Containment
- Damage Control

Data Mines
- Elaborate system of mines
- Access Mechanism Used
- Timestamp
- Monitoring
- Tracking
- Allows the weak link to be located quickly

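As an added example (not from the slides), one way to build the data mines described above: a unique decoy record is seeded through each access mechanism, tagged with a keyed digest and the seeding timestamp, so that a decoy turning up in a spam run or a dump identifies the channel that leaked it. The key, channel names and sample recipient list are constructed.

```python
"""Seeded 'data mines' (canary records): one unique decoy per access path.

Each export channel (partner feed, CSV download, API, ...) receives a decoy
record that appears nowhere else. If that decoy later shows up in spam or a
dump, the channel it was seeded through is the weak link.
Constructed example; key, channel names and sample data are hypothetical.
"""
import hmac
import hashlib
from dataclasses import dataclass

SECRET = b"rotate-me"  # assumption: per-deployment HMAC key, kept out of the data set


@dataclass(frozen=True)
class Mine:
    mechanism: str  # access path the decoy was handed to
    seeded_at: str  # timestamp of seeding (ISO 8601 string)
    value: str      # the decoy value placed in the exported data


def _tag(mechanism: str, seeded_at: str, secret: bytes) -> str:
    # Short keyed digest: unguessable without the key, so nobody can forge a
    # mine that points blame at a different channel.
    msg = f"{mechanism}|{seeded_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12]


def mint_mine(mechanism: str, seeded_at: str, secret: bytes = SECRET) -> Mine:
    tag = _tag(mechanism, seeded_at, secret)
    # Decoy is a plausible address on a domain we control, so any mail or
    # lookup against it is itself an alert (monitoring bullet above).
    return Mine(mechanism, seeded_at, f"m.{tag}@canary.example")


def locate_weak_link(observed: list[str], mines: list[Mine]) -> dict[str, str]:
    """Map the mechanism of every decoy found in `observed` to its seeding time."""
    by_value = {m.value: m for m in mines}
    hits: dict[str, str] = {}
    for item in observed:
        m = by_value.get(item.strip().lower())  # normalise case/whitespace
        if m is not None:
            hits[m.mechanism] = m.seeded_at
    return hits


if __name__ == "__main__":
    mines = [mint_mine("partner-feed", "2008-10-01T09:00Z"),
             mint_mine("csv-export", "2008-10-01T09:05Z")]
    # Constructed sample: recipient list recovered from a spam run
    spam = ["alice@example.org", mines[1].value, "bob@example.org"]
    print(locate_weak_link(spam, mines))  # {'csv-export': '2008-10-01T09:05Z'}
```

Rotating the key or re-seeding with a new timestamp yields fresh decoys, so a channel can be re-tested after a fix without the old mines ever matching again.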
Hope - It Can Be Done
- No Silver Bullet
- Requires
  - Creativity
  - Commitment
  - Diligence
- Begin With the Basics
- Information is Key

OWASP
- Guide
- Top 10
- Specific Tools
- Put Back In
- Take the Advantage